Konstantin,
On 3/14/14, 11:28 AM, Konstantin Kolinko wrote:
> 2014-03-14 19:04 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
>> Joseph,
>>
>> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>>> I should also mention that after some very simple testing I
>>> was able to confirm that (of course) Tomcat is notifying my
>>> application when the session is invalidated in a valve. I'm
>>> still fairly new to this entire stack, so forgive my ignorance.
>>> :-)
>>
>> No problem. Tomcat does in fact change the session id, but only
>> *after* a successful authentication (but before the session is
>> blessed with authentication information). I believe you said
>> something about changing the session id when the user accesses
>> the login page -- regardless of whether the authentication
>> attempt is successful. Tomcat doesn't do that.
>
> Tomcat does that.
>
> For FORM authentication the session id is changed twice. This
> security feature is CVE-2013-2067.

Thanks for the clarification. I didn't know that Tomcat did a double-id-change.

Just because you're paranoid doesn't mean they aren't watching you.
-chris
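The distinction the thread turns on is that Tomcat rotates the session id on login rather than invalidating the session, so an application that only listens for invalidation will miss it. The listener below is an added example, not code from the thread or from Tomcat; it assumes the Servlet 3.1 `HttpSessionIdListener` API (Tomcat 8 or later) and uses a hypothetical class name and a constructed in-memory index keyed by session id.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical listener (not from the thread) that keeps an application-side
 * index keyed by session id and re-keys it when Tomcat changes the id, e.g.
 * after a successful FORM login. Without sessionIdChanged, such an index would
 * silently go stale: the session object survives, only its id is different.
 */
@WebListener
public class SessionIdTrackingListener implements HttpSessionIdListener, HttpSessionListener {

    // Constructed example state: session id -> whatever the app keys on it (a label here).
    private static final Map<String, String> BY_ID = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        BY_ID.put(se.getSession().getId(), "anonymous");
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        String newId = se.getSession().getId();
        // Move the entry under the new key; an id change is not a logout.
        String value = BY_ID.remove(oldSessionId);
        BY_ID.put(newId, value != null ? value : "anonymous");
        // Log only a prefix: full session ids do not belong in application logs.
        se.getSession().getServletContext().log("session id changed: "
                + abbreviate(oldSessionId) + " -> " + abbreviate(newId));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Invalidation is the only event on which the entry should actually go away.
        BY_ID.remove(se.getSession().getId());
    }

    static String abbreviate(String id) {
        return id == null ? "null" : id.substring(0, Math.min(8, id.length())) + "...";
    }
}
```

With FORM authentication the `sessionIdChanged` callback fires for each id change Konstantin describes, so any cache, audit trail or rate-limit bucket keyed on the id has to be re-keyed there, not in `sessionDestroyed`.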